Detecting taint mode
Aaron Crane
perl at aaroncrane.co.uk
Sun Feb 25 21:17:09 GMT 2007
David Cantrell writes:
> Anyone got a nifty way of detecting whether you're running in taint-mode
> which doesn't rely on ${^TAINT}? Cos that magic variable ain't
> available in 5.6.2.
Try doing something with no important side-effects that would be
forbidden under tainting, and see whether you get an exception?
I haven't thought through all the issues -- and certainly I wouldn't
expect this particular code to work unchanged on Windows -- but it seems
to accomplish the desired goal:
$ /opt/perl562/bin/perl -lwe 'open my $fh, $^X or die "cannot open $^X"; my $line = <$fh>; my $len = length $line; eval { system "/bin/echo $len > /dev/null" }; my $tainting_enabled = !!$@; print $tainting_enabled'
$ /opt/perl562/bin/perl -Tlwe 'open my $fh, $^X or die "cannot open $^X"; my $line = <$fh>; my $len = length $line; eval { system "/bin/echo $len > /dev/null" }; my $tainting_enabled = !!$@; print $tainting_enabled'
1
I think the most useful trick there is the use of C<length> to produce
a safe piece of data that Perl's conservative taint-propagation thinks
is unsafe. ("Safe" in the sense that it can't cause code-injection
bugs, anyway.)
--
Aaron Crane
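
The same probe-and-catch idea without a shell or /dev/null, as an added example that is not part of the original message. It uses the is_tainted() idiom from perlsec; taint_mode_enabled() is a hypothetical name, it assumes $0 or $^X is tainted whenever tainting is on, and it has not been checked against 5.6.2.

```perl
#!/usr/bin/perl
use strict;

# Added example. is_tainted() follows the idiom shown in perlsec: string-eval
# of tainted data is refused under tainting, and the zero-length substr()
# keeps the taint flag while guaranteeing the eval'd text is only "#".
sub is_tainted {
    local $@;    # do not clobber the caller's $@
    return !eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

# Hypothetical helper name. Assumption: $0 and $^X come from outside the
# program, so at least one of them is tainted whenever tainting is on.
sub taint_mode_enabled {
    return is_tainted("$0$^X") ? 1 : 0;
}

# Typical defensive use: report (or refuse to continue) when -T is missing.
print "tainting ", (taint_mode_enabled() ? "enabled" : "disabled"), "\n";
```

The zero-length substr() plays the role that length plays in the message: the value is harmless, but Perl's conservative taint propagation still marks it as unsafe.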